GMS-2023-5095: aiohttp has vulnerable dependency that is vulnerable to request smuggling

November 27, 2023

Summary

llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

References

github.com/advisories/GHSA-pjjw-qhg8-p2p9
github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b
github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a
github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9

Code Behaviors & Features

Detect and mitigate GMS-2023-5095 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →